Amazon Virtual Private Cloud
User Guide

Endpoints for Amazon DynamoDB

If you've already set up access to your DynamoDB tables from your VPC, you can continue to access the tables as you normally would after you set up an endpoint. However, take note of the following:

  • Your endpoint has a policy that controls the use of the endpoint to access DynamoDB resources. The default policy allows access by any user or service within the VPC, using credentials from any AWS account, to any DynamoDB resource. For more information, see Controlling Access to Services.

  • DynamoDB does not support resource-based policies (for example, on tables). Access to DynamoDB is controlled through the endpoint policy and IAM policies for individual IAM users and roles.

  • You cannot access Amazon DynamoDB Streams through a VPC endpoint.

  • Endpoints currently do not support cross-region requests—ensure that you create your endpoint in the same region as your DynamoDB tables.

  • If you use AWS CloudTrail to log DynamoDB operations, the log files contain the private IP address of the EC2 instance in the VPC and the endpoint ID for any actions performed through the endpoint.

Before you use endpoints with DynamoDB, ensure that you have also read the following general limitations: Endpoint Limitations.

Using Endpoint Policies for DynamoDB

The following are example endpoint policies for accessing DynamoDB.


All types of policies — IAM user policies and endpoint policies — must grant the necessary permissions for access to DynamoDB to succeed.

Example: Read-Only Access

You can create a policy that restricts actions to only listing and describing DynamoDB tables through the VPC endpoint.

{ "Statement": [ { "Sid": "ReadOnly", "Principal": "*", "Action": [ "dynamodb:DescribeTable", "dynamodb:ListTables" ], "Effect": "Allow", "Resource": "*" } ] }

Example: Restrict Access to a Specific Table

You can create a policy that restricts access to a specific DynamoDB table. In this example, the endpoint policy allows access to StockTable only.

{ "Statement": [ { "Sid": "AccessToSpecificTable", "Principal": "*", "Action": [ "dynamodb:Batch*", "dynamodb:Delete*", "dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Update*" ], "Effect": "Allow", "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/StockTable" } ] }

Using IAM Policies to Control Access to DynamoDB

You can create an IAM policy for your IAM users, groups, or roles to restrict access to DynamoDB tables from a specific VPC endpoint only. To do this, you can use the aws:sourceVpce condition key for the table resource in your IAM policy.

For more information about managing access to DynamoDB, see Authentication and Access Control for Amazon DynamoDB in the Amazon DynamoDB Developer Guide.

Example: Restrict Access from a Specific Endpoint

In this example, users are denied permission to work with DynamoDB tables, except if accessed through endpoint vpce-11aa22bb.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AccessFromSpecificEndpoint", "Action": "dynamodb:*", "Effect": "Deny", "Resource": "arn:aws:dynamodb:region:account-id:table/*", "Condition": { "StringNotEquals" : { "aws:sourceVpce": "vpce-11aa22bb" } } } ] }